Comment by shadowgovt
5 hours ago
The problem is that the philosophy doesn't extend to networking.
You are free to do whatever you want with your hardware. Rip the chip out and install firmware that will boot anyway when the missing chip doesn't POST.
... and when you try to connect to my server, I will send a challenge-response that you needed that chip to answer. When that fails, I'm free to do what I want with my hardware. Which is drop or reject your incoming request because I don't trust you.
So far, this situation has been stable because it's a lot more valuable to me to trust you than not; the benefit I get from having you as a user outweighs the harm that can happen if your machine has been modified and does something that breaks my protocols. In fact, the rule on the Internet has basically been "What happens in your house you have control over; what comes in from the outside is assumed to be pure screaming madness until it's validated" for that reason (among others).
... but validation is expensive and I can see why some companies would want to push the whole validation story onto "We use attestation to confirm that we can trust the software works the way we expect it to on the other side of the machine." I personally think it's a bit of a dumb experiment (I don't trust attestation itself to succeed, not when the end-user fundamentally still owns the device and every hacker on the planet can attack the attestation protocol all day if they want; I haven't seen a system that pretends it controls both sides of the network ultimately succeed yet and I don't expect I will this time either). But if companies want to win stupid prizes I don't think we need to do anything more than "not work with them" to help them along.
It's hard to do otherwise without doing injury to the core concept "You own your own machine" whether 'you' is one person with a smartphone or a corporation with a datacenter.
> It's hard to do otherwise without doing injury to the core concept "You own your own machine" whether 'you' is one person with a smartphone or a corporation with a datacenter.
It's not hard at all. In fact it's easy. Simply recognize the basic fact that corporations are not even human to begin with. Adopt a user maximalist philosophy. Classify the corporations as second class citizens, below us in importance. We absolutely should own our machines. Corporations? Maybe, if they behave. Remember: they are not even human.
If they're abusing their freedom to exert undue influence on us humans, simply take the freedom away. They exist to serve us, not the other way around. And they need to serve us on our terms, not their shareholder value maximizing terms. Their reward for serving us is not just the money they make, it is their continued existence. They are not human lives that inherently deserve to be protected, they exist because people allow it.
Wanna see how easy it can be?
> I will send a challenge-response that you needed that chip to answer
Pass a computer neutrality and interoperability law which states that if you're a company and you have public servers then they must take requests from all clients. It doesn't matter if it's OpenAI or a tamagotchi, all computers must be able to participate in the system.
This allows you as a private person to keep your servers secure with challenge response while restricting the ability of corporations to abuse us with their attestation nonsense.